Finally, I got it working.
doc_return 200 "application/json; access-control-allow-origin:*;" $json
Furthermore, I found good references for CORS response headers. See bellow:
1) http://core.tcl.tk/tcl/artifact/63a30fa7fc4e7c9d
2) https://devcentral.f5.com/questions/adding-cors-response-headers
Nevertheless, I'd like to understand how CORS is applied in OACS and NS.
Any good documentation is welcome!
Best wishes,